Recently a customer called me with problems connecting to certain websites. Using Crossloop I remoted into his computer. I then installed the free version of LogMeIn, just in case I needed to reboot (you won't need the client there to let you back in). However, after the LogMeIn install I noticed it was disabled. I did a few checks to see what was not working and found the following.
- windows update
- Trend Micro wouldn't load the virus scanner
- random webpages could not be accessed
- Crossloop was eventually blocked after a reboot
I tried a quick run of SuperAntiSpyware and SmitfraudFix and my usual recipe of removing spyware and junk from the computer. After a quick reboot I was hoping that LogMeIn would work. However, it just got worse: not only did LogMeIn not work, but now Crossloop would not allow me in. I ran the following.
- AVG rootkit revealer
None of which had any effect on the system. I kept noticing a CA (Computer Associates) pop-up asking for a subscription renewal. I figured this was the problem. However, the system was acting very strangely, allowing some sites to load but not others. A virus was my first bet, but I needed to shut down CA.
Shutting down CA was kind of tricky. First, the Windows Firewall stated it was on even after I manually shut it down. Also, I could not find any way to remove the CA services from running. Here's what I did:
- Start > Run > services.msc
- disable any HIPS/CA programs
- great post here on how to stop and remove CA
- boot up with Bart PE and remove the components from the blog post linked to above
- run CCleaner to do a registry cleanup
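Before pulling components off the disk, it helps to have a written inventory of what the security suite actually installed and what state Windows Update and the firewall are in. The PowerShell script below is an added example, not something from the original post or from CA: it lists services whose display name or binary path match a vendor pattern, shows the Windows Update service chain, reports the firewall profiles, and only disables the matching services when the `-Disable` switch is passed. The `$VendorPattern` default is a placeholder you would adjust to the product's real display names, and the firewall cmdlet assumes Windows 8 / Server 2012 or later running in an elevated session.

```powershell
# Added example (not from the original post): inventory the suspect security
# suite and the Windows services the post found blocked, before removing anything.
# Assumptions: Windows 8 / Server 2012 or later (Get-NetFirewallProfile), run as
# Administrator. $VendorPattern is a placeholder; match it to the product's own
# display names, which vary by version.
param(
    [string]$VendorPattern = 'CA|eTrust|Computer Associates',
    [switch]$Disable   # only disable the matching services when explicitly asked
)

# 1. Services belonging to the suspect suite, with binary path and start mode.
$suspect = Get-CimInstance Win32_Service |
    Where-Object { $_.DisplayName -match $VendorPattern -or $_.PathName -match $VendorPattern }

"== Services matching '$VendorPattern' =="
$suspect | Select-Object Name, DisplayName, State, StartMode, PathName | Format-Table -AutoSize

# 2. The services whose failure the post observed: Windows Update and what it depends on.
"== Windows Update chain =="
Get-Service wuauserv, BITS, CryptSvc -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType | Format-Table -AutoSize

# 3. Firewall state per profile. A third-party HIPS can register itself as the
#    firewall provider, so the Windows Firewall UI may say "on" while the other
#    product is the one actually filtering traffic.
"== Firewall profiles =="
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction | Format-Table -AutoSize

# 4. Optional: set the matching services to Disabled so they stay down across the
#    reboot needed for the offline (Bart PE) removal step.
if ($Disable) {
    foreach ($svc in $suspect) {
        Set-Service -Name $svc.Name -StartupType Disabled
        Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
        "Disabled and stopped: $($svc.Name)"
    }
}
```

Run it once without `-Disable` and keep the output; the service names and binary paths it prints are the list of files to check for after the offline removal and the registry cleanup, so you know the suite is actually gone rather than just not running.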
Once I had CA removed I could access the websites I needed and update Windows, which was badly needed. As far as I'm concerned, CA was more of a threat than any help: CA was causing the problem, was difficult to remove, and was not allowing Windows to update properly. Then CA wanted money to renew the subscription. The computer is now up and running properly.